Description
Problem Statement
Many Kubernetes applications are packaged as Helm charts, which produce the Kubernetes manifests only after templating.
Currently, Kyverno has no built-in capability to take a Helm chart as input and scan it for policy violations. Users must manually render the chart (e.g. via `helm template`) to obtain the YAML, then run Kyverno's CLI to detect any policy issues. This extra step is cumbersome and error-prone, especially in automated pipelines. In fact, the community has created external solutions (like a GitHub Action) to fill this gap by templating charts and then invoking Kyverno (https://github.com/ckotzbauer/kyverno-test-action). This indicates a need for a native Kyverno feature that can directly process Helm charts.
Solution Description
Proposal
Introduce a new capability in the Kyverno project to scan Helm charts directly for policy violations. There are several ways this could be implemented:

- Extend the Kyverno CLI: Add support for a flag or subcommand (for example, `kyverno apply --chart <chart_path> --values <values_file>`) that accepts a Helm chart directory or packaged chart. The CLI would internally use the Helm SDK to render the templates with the given values, producing the Kubernetes manifests, then immediately apply the Kyverno policies to those manifests in memory. This avoids requiring users to invoke `helm template` themselves. The output would be the same as scanning the rendered YAML, listing any policy violations or successes, but all in one step.
- Helm Plugin Approach: Alternatively, provide a Helm plugin (e.g. `helm kyverno`) that hooks into the Helm CLI. This plugin could internally call Kyverno's logic to validate a chart. For instance, a user could run `helm kyverno lint <chart>` to get Kyverno policy feedback. This approach would integrate naturally for Helm users, similar to how tools like Datree have a Helm plugin for chart validation. Under the hood, it might invoke the Kyverno CLI or library with the rendered output.
- Kyverno Git Repository Bot: Kyverno scans a Git repository and opens a pull request with suggested changes to the Helm charts, based on the defined policies.
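For comparison, here is the two-step render-then-scan workflow from the problem statement wrapped into a single shell function, which is the behaviour the CLI extension above would provide natively. This is an added example written for this issue, not code from the Kyverno project; it assumes `helm` and `kyverno` are on `PATH`, and the function name `scan_chart` and the temporary-file handling are my own choices.

```shell
#!/bin/sh
# Render a Helm chart and scan the rendered manifests with the Kyverno CLI
# in one step. Constructed helper for illustration; not part of Kyverno.
set -eu

# scan_chart <chart_path> <policy_path> [values_file] [release_name]
#   chart_path   chart directory or packaged .tgz
#   policy_path  Kyverno policy file (or directory of policies)
#   values_file  optional values passed to `helm template -f`
#   release_name release name used for templating (default: scan)
# Returns 2 on bad arguments, 1 if rendering fails, otherwise the
# exit status of `kyverno apply`.
scan_chart() {
  chart="${1:-}"
  policy="${2:-}"
  values="${3:-}"
  release="${4:-scan}"

  if [ -z "$chart" ] || [ -z "$policy" ]; then
    echo "usage: scan_chart <chart_path> <policy_path> [values_file] [release_name]" >&2
    return 2
  fi
  if [ ! -d "$chart" ] && [ ! -f "$chart" ]; then
    echo "chart not found: $chart" >&2
    return 2
  fi
  if [ ! -e "$policy" ]; then
    echo "policy not found: $policy" >&2
    return 2
  fi
  if [ -n "$values" ] && [ ! -f "$values" ]; then
    echo "values file not found: $values" >&2
    return 2
  fi

  # Render to a temporary file so kyverno sees exactly what helm would
  # submit to the API server; this is the step the proposal would do in memory.
  rendered=$(mktemp) || return 1
  rc=0
  if [ -n "$values" ]; then
    helm template "$release" "$chart" -f "$values" > "$rendered" || rc=$?
  else
    helm template "$release" "$chart" > "$rendered" || rc=$?
  fi
  if [ "$rc" -ne 0 ]; then
    echo "helm template failed for $chart" >&2
    rm -f "$rendered"
    return 1
  fi

  # Apply the policies to the rendered manifests and propagate kyverno's status.
  rc=0
  kyverno apply "$policy" --resource "$rendered" || rc=$?
  rm -f "$rendered"
  return "$rc"
}

# Example invocation (uncomment to run against a real chart and policy):
# scan_chart ./charts/myapp ./policies/require-run-as-nonroot.yaml ./values-prod.yaml
```

Argument validation returns 2 so a CI job can distinguish a misconfigured step from a genuine policy failure; rendering errors return 1; and the policy verdict is whatever `kyverno apply` reports, so the exit code is usable as a pipeline gate.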
Alternatives
https://github.com/ckotzbauer/kyverno-test-action
https://polaris.docs.fairwinds.com/infrastructure-as-code/#audit-helm-charts
Slack discussion
No response
Research
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.